Got it to work, it only works when you index CSV data, not when you use the HTTP Event collector. Will create other question about that.
For those interested, using ADD_EXTRA_TIME_FIELDS add the fields as dimensions in the Metrics Index, so it's properly not an god idea, as it will give overhead to number of dimensions/cardinality, have to test it with a large number of results with different values to see the performance/memory overhead.
CSV file:
metric_timestamp,metric_name,_value
1508756758.000,Test,0.50
1508756758.000,Test2,1.50
Props:
[mcg_apm_metrics_csv]
ADD_EXTRA_TIME_FIELDS = True
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = metric_timestamp
TIME_FORMAT = %s.%Q
category = Metrics
description = Comma-separated value format for metrics. Must have metric_timestamp, metric_name, and _value fields.
disabled = false
pulldown_type = 1
Used this command to see what was stored in the Splunk Index: c:\Program Files\Splunk\bin>splunk cmd walklex "C:\Program Files\Splunk\var\lib\splunk\mcg_apm_response_metrics_hour\db\hot_v1_1\1507908525-1507598431-3077548847437235074.tsidx" ""
my needle:
0 2 host::rt-laptop
1 1 metric_name::Test
2 1 metric_name::Test2
3 2 source::metrics_data.txt
4 2 sourcetype::mcg_apm_metrics_csv
5 1 _catalog::Test2|date_hour|date_mday|date_minute|date_month|date_second|date_wday|date_year|date_zone
6 1 _catalog::Test|date_hour|date_mday|date_minute|date_month|date_second|date_wday|date_year|date_zone
7 2 _dims::date_hour
8 2 _dims::date_mday
9 2 _dims::date_minute
10 2 _dims::date_month
11 2 _dims::date_second
12 2 _dims::date_wday
13 2 _dims::date_year
14 2 _dims::date_zone
15 2 _subsecond::.000
16 2 date_hour::11
17 2 date_mday::23
18 2 date_minute::5
19 2 date_month::october
20 2 date_second::58
21 2 date_wday::monday
22 2 date_year::2017
23 2 date_zone::0
24 2 host::rt-laptop
25 1 metric_name::test
26 1 metric_name::test2
27 2 source::metrics_data.txt
28 2 sourcetype::mcg_apm_metrics_csv
... View more